FANews

Petya or NotPetya – under POPI you must report

04 July 2017 Norton Rose Fulbright

Barely recovered from the WannaCry ransomware attack, many across the globe now have to deal with the latest ransomware attack, NotPetya. It was originally thought to be the Petya ransomware, built to make money, but security analysts quickly realised that the current cyber-attack was not designed to make money. It appears that NotPetya has actually just been designed to cause maximum damage, while disguising itself as ransomware.

You know you’ve been affected by NotPetya if you receive a message that your files have been encrypted, with a demand to pay US$300 in Bitcoin. Unlike with WannaCry, there is no ‘kill-switch’ with NotPetya. A ‘kill-switch’ enables tech-wizards to infiltrate the malware and stop it from encrypting data or causing damage.

The NotPetya ransomware has affected large organisations all over Europe and the US, with Ukraine having been hardest hit by it. See this timeline for some high-profile attacks and how NotPetya has unravelled.

In South Africa, there is currently no legal obligation on companies to notify anyone, either a local authority or customers of the company. Barring any confidentiality or similar contractual obligation that companies may have to customers, companies do not have to publicise their breach. However, once the Protection of Personal Information Act 2013 (POPI) commences there will be an obligation on organisations to report data breaches to the information regulator and customers; and once the Cybercrimes and Cybersecurity Bill is enacted there will be new offences created that will make cyber-attacks and breaches illegal in South Africa.

South African companies with affiliates or headquarters in other jurisdictions may currently have notification obligations in terms of those foreign laws, so bear this in mind if you have been affected by NotPetya and have operations overseas.

Companies may also notify people potentially affected by a data breach as a policy decision or good practice, although proper legal and public relations advice should be taken before doing so.

By Kerri Crawford (SA) and Rakhee Bhikha   
First published by: Financial Institutions Legal Snapshot
